AdaptHealth disclosed a material cybersecurity incident after attackers used social engineering against a third-party contractor, compromised the contractor’s credentials, and accessed the company’s cloud-based business applications. The intrusion exposed internal patient management systems, document storage platforms, external electronic health record portals, and a stored password file tied to insurance billing, with patient personally identifiable information and protected health information believed to have been stolen. The company said the attacker contacted it on June 15 to disclose the theft, and it later determined the breach was material enough to report to the SEC.
AdaptHealth said it disabled the contractor account, reset credentials, added access controls, engaged third-party cybersecurity experts, and notified law enforcement while the investigation continues. The company reported that operations and patient services were not disrupted, the total number of affected individuals is still unknown, and Social Security numbers, financial account information, and payment card data are not believed to have been stored in the compromised systems. Reporting also indicated the activity may be consistent with a data-theft-and-extortion attempt linked to ShinyHunters, which allegedly listed AdaptHealth on a leak site and threatened to publish the stolen data if no ransom is paid.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
Reporting said the activity appeared consistent with a data theft and extortion attempt by ShinyHunters, which allegedly listed AdaptHealth on its leak site and threatened to publish stolen data if a ransom was not paid.
AdaptHealth disclosed the material cybersecurity incident, said it had engaged third-party cybersecurity experts, and reported the matter to law enforcement while continuing to investigate the breach and its financial impact.
AdaptHealth said a social engineering attack against a third-party contractor led to compromise of the contractor’s credentials and unauthorized access to certain cloud-based business applications, including patient management systems, document storage platforms, a password file tied to insurance billing, and external EHR portals.
After discovering the compromise, AdaptHealth disabled the contractor account, reset credentials, and added access controls. The company said it believes the attack is contained while the investigation into scope continues.
On 2026-06-27, AdaptHealth determined the cybersecurity incident was material and required disclosure to the SEC.
On 2026-06-15, the attacker contacted AdaptHealth to disclose that data had been stolen from the company’s environment.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.